We discovered a major security flaw in the iOS 10 backup protection mechanism. This security flaw allowed us developing a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) backups made by iOS 10 devices.

The impact of this security weakness is severe. An early CPU-only implementation of this attack (available in Elcomsoft Phone Breaker 6.10) gives a 40-times performance boost compared to a fully optimized GPU-assisted attack on iOS 9 backups.

What’s It All About?

When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.

This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.

By exploiting the new password verification mechanism, we were able to support it in our latest update, Elcomsoft Phone Breaker 6.10. Since this is all too new, there is no GPU acceleration support for the new attack. However, even without GPU acceleration the new method works 40 times faster compared to the old method *with* GPU acceleration.

Why Backups?

Apple smartphones are secure. iOS is also secure, and gets tougher with each subsequent generation. With no jailbreak available for iOS 10, physical acquisition is out of the question even on older devices and even if you know the passcode. Cloud acquisition is only possible if you know the user’s Apple ID and password (or have access to the user’s computer with iCloud Control Panel to extract an authentication token), but even then you won’t be able to decrypt the keychain.

This leaves us to logical acquisition. Forcing an iPhone or iPad to produce an offline backup and analyzing resulting data is one of the very few acquisition options available for devices running iOS 10. Local backups are easy to produce if the iPhone is unlocked. However, you may be able to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer.

If you are able to break the password, you’ll be able to decrypt the entire content of the backup including the keychain. At this time, logical acquisition remains the only acquisition option available for iPhone 5s, 6/6Plus, 6s/6sPlus and 7/7Plus running iOS 10 that offers access to device keychain.

The Keychain

Keychain is Apple’s protected storage that is additionally encrypted on a file level (on top of the already active full-disk encryption that works on a block level). While stored on the device, the keychain is encrypted with a key that is buried deep in Secure Enclave. Even if you can jailbreak a 64-bit iOS device (iPhone 5s and newer), you would still be unable to extract decryption keys for the keychain.

Logical acquisition (via password-protected iTunes backups) is currently the only way to extract and decrypt keychain data out of an iOS 10 device. What is there anyway?

At this time, we have an early implementation featuring CPU-only recovery. The new security check is approximately 2,500 times weaker compared to the old one that was used in iOS 9 backups. At this time, we are getting these speeds:

iOS 9 (CPU): 2,400 passwords per second (Intel i5)

iOS 9 (GPU): 150,000 passwords per second (NVIDIA GTX 1080)

iOS 10 (CPU): 6,000,000 passwords per second (Intel i5)

Maybe Even Faster

What if brute-force does not seem work? If this is the case, Elcomsoft Phone Breaker comes with a number of smart attacks, allowing you using variations and combinations of dictionary words to compose passwords that are likely to be used by a real person. You can also obtain the Top 10,000 Passwords or the Top 10 Million Passwords list (https://xato.net/10-000-top-passwords-6d6380716fe0) and let Elcomsoft Phone Breaker spend a few moments trying those before building your own dictionary. Statistics show that top 10,000 passwords are used in about 30% of all cases, while the Top 10 Million Passwords list gives approximately 34% success rate in real-world cases.

Combining these lists with your own custom dictionary and letting Elcomsoft Phone Breaker 6.10 run for two days gives about 80 to 90 per cent chance of successful recovery. You may continue crunching passwords beyond that point.

Download the Tool

Elcomsoft Phone Breaker 6.10 is immediately available with 6 million passwords per second (CPU only) for iOS 10 backups. You are welcome to update right away.

Further research is required to build an optimized GPU-assisted attack. We’ll let you know once we have it.

Thanks for this. Esp interesting: “Even without GPU acceleration the new method works 40 times faster compared to the old method *with* GPU acceleration”… and the passwords for sure are not…
),}j~d`%1H.E_WQD7|C|u%K^+x9oe&1S

> While stored on the device, the keychain is encrypted with a key that is buried deep in Secure Enclave. Even if you can jailbreak a 64-bit iOS device (iPhone 5s and newer), you would still be unable to extract decryption keys for the keychain.

I thought that jailbreaking the iPhone allows you to dump the keychain if there is no passcode?